
First Wave Marine Services
TITLE: Cyber Risk Management
Rev No: 0    Date: 23-Jul-22    Section 3: Risk Management
Prepared By: DPA    Approved By: MD    Page 1 of 10

Section 3 ‐ Risk Management

3.1 Scope

The scope of this section is to establish the Risk Management process for Cyber Security
on board the vessel.

3.2 Assessing Cyber Security Risk

The level of cyber risk will reflect the circumstances of the Ship (its operation and trade),
the IT and OT systems used, and the information and/or data stored. The maritime
industry possesses a range of characteristics which affect its vulnerability to cyber
incidents:
- The cyber controls already implemented by the company and onboard its ships.
- Multiple stakeholders are often involved in the operation and chartering of a ship,
potentially resulting in a lack of accountability for the IT infrastructure.
- The ship being online and how it interfaces with other parts of the global supply
chain.
- Ship equipment being remotely monitored, e.g. by the producers.
- Business-critical, data-sensitive and commercially sensitive information shared with
shore-based service providers.
- The availability and use of computer-controlled critical systems for the ship's safety
and for environmental protection.

3.3 Risk/impact assessment by CIA Model

3.3.1 The CIA Model

The confidentiality, integrity and availability (CIA) model provides a framework for
assessing the impact of:

- Loss of Confidentiality (C): unauthorized access to and disclosure of information or
data about the ship, crew, cargo and passengers.
- Loss of Integrity (I): modification or destruction of information and data relating to
the safe and efficient operation and administration of the ship.
- Loss of Availability (A): destruction of the information and data and/or disruption to
services/operation of ship systems.

The relative importance of confidentiality, integrity and availability changes depending
on the use of the information or data. For example, assessing the vulnerability of IT
systems related to commercial operations may focus on confidentiality and integrity
rather than availability. Conversely, assessing the vulnerability of OT systems onboard
ships, particularly safety critical systems, may focus on availability and/or integrity
instead of confidentiality.

3.3.2 Potential Risk/Impact Levels by CIA Model


Potential Risk/Impact: Low
Definition: The loss of confidentiality, integrity, or availability could be expected to
have a limited adverse effect on company and ship, organizational assets, or individuals.
In practice: A limited adverse effect means that a security breach might: (i) cause a
degradation in ship operation to an extent and duration that the organization is able to
perform its primary functions, but the effectiveness of the functions is noticeably
reduced; (ii) result in minor damage to organizational assets; (iii) result in minor
financial loss; or (iv) result in minor harm to individuals.

Potential Risk/Impact: Moderate
Definition: The loss of confidentiality, integrity, or availability could be expected to
have a substantial adverse effect on company and ship, company and ship assets, or
individuals.
In practice: A substantial adverse effect means that a security breach might: (i) cause a
significant degradation in ship operation to an extent and duration that the organization
is able to perform its primary functions, but the effectiveness of the functions is
significantly reduced; (ii) result in significant damage to organizational assets;
(iii) result in significant financial loss; or (iv) result in significant harm to
individuals that does not involve loss of life or serious life-threatening injuries.

Potential Risk/Impact: High
Definition: The loss of confidentiality, integrity, or availability could be expected to
have a severe or catastrophic adverse effect on company and ship operations, company and
ship assets, or individuals.
In practice: A severe or catastrophic adverse effect means that a security breach might:
(i) cause a severe degradation in or loss of ship operation to an extent and duration that
the organization is not able to perform one or more of its primary functions; (ii) result
in major damage to organizational assets; (iii) result in major financial loss; or
(iv) result in severe or catastrophic harm to individuals involving loss of life or
serious life-threatening injuries.

Table 2 ‐ Potential impact levels by CIA Model

Shipboard System    Confidentiality    Integrity    Availability    Overall Impact
IT or OT system     Low                High         High            High

Table 3 – Example of Potential impact level by CIA Model
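The following is an added worked example, not part of the company procedure or its SCSA template. It encodes the three impact levels of Table 2 as an ordered scale and derives each system's overall impact as the highest of its C, I and A ratings; that high-water-mark rule is an assumption, chosen because it reproduces the Table 3 example (Low / High / High gives High). The system inventory in the script is constructed sample data, and the IT-versus-OT "focus" column simply records the emphasis described in 3.3.1.

```python
"""CIA impact rating helper for a Ship Cyber Security Assessment (SCSA).

Added example; not part of the company procedure. Overall impact is derived
with an assumed high-water-mark rule (worst single C/I/A rating), which is
consistent with the Table 3 example. The inventory is constructed sample data.
"""
from dataclasses import dataclass

# Table 2 levels, least to most severe.
LEVELS = ("Low", "Moderate", "High")


@dataclass(frozen=True)
class SystemImpact:
    name: str
    kind: str             # "IT" or "OT"
    confidentiality: str  # each rating is one of LEVELS
    integrity: str
    availability: str


def overall_impact(c: str, i: str, a: str) -> str:
    """Overall impact = worst single dimension (assumed high-water-mark rule)."""
    for level in (c, i, a):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max((c, i, a), key=LEVELS.index)


def focus_dimensions(kind: str) -> tuple:
    """Section 3.3.1: IT assessments tend to focus on C and I, OT on A and I."""
    if kind == "IT":
        return ("C", "I")
    if kind == "OT":
        return ("A", "I")
    raise ValueError(f"unknown system kind: {kind!r}")


def assess(inventory) -> list:
    """Produce one Table 3 style row (a dict) per system in the inventory."""
    rows = []
    for s in inventory:
        rows.append({
            "system": s.name,
            "kind": s.kind,
            "C": s.confidentiality,
            "I": s.integrity,
            "A": s.availability,
            "overall": overall_impact(s.confidentiality, s.integrity, s.availability),
            "focus": focus_dimensions(s.kind),
        })
    return rows


def systems_at_or_above(rows, level: str) -> list:
    """Names of systems whose overall impact is at or above `level`."""
    threshold = LEVELS.index(level)
    return [r["system"] for r in rows if LEVELS.index(r["overall"]) >= threshold]


def render_table(rows) -> str:
    """Plain-text table in the layout of Table 3."""
    lines = [f"{'Shipboard System':<22}{'Kind':<6}{'C':<10}{'I':<10}{'A':<10}Overall Impact"]
    for r in rows:
        lines.append(f"{r['system']:<22}{r['kind']:<6}{r['C']:<10}"
                     f"{r['I']:<10}{r['A']:<10}{r['overall']}")
    return "\n".join(lines)


# Constructed sample inventory (illustrative only, not a real vessel's SCSA).
SAMPLE_INVENTORY = [
    SystemImpact("Loading computer", "IT", "High", "Moderate", "Low"),
    SystemImpact("Crew welfare Wi-Fi", "IT", "Low", "Low", "Low"),
    SystemImpact("ECDIS", "OT", "Low", "High", "High"),
    SystemImpact("Reefer monitoring", "OT", "Low", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_INVENTORY)
    print(render_table(rows))
    print("Rated High overall:", systems_at_or_above(rows, "High"))
```

A rating outside the Table 2 scale is rejected rather than silently ranked, so a typo in an assessment sheet cannot quietly lower a system's overall impact.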

3.4 Risk assessment by the Company

The risk assessment process starts by assessing the systems on board. Risk to IT and OT
systems may include:
- Deliberate and unauthorized breaches.
- Unintentional or accidental breaches.
- Inadequate system integrity, such as firewalls and/or virus protection.
Systems with direct or indirect communication links, which may be vulnerable to
external threat or inappropriate use, shall be identified and the risks shall be mitigated
by including appropriate protection measures.

During the initial assessment of Cyber Risk on board a vessel, the Company shall complete
a Ship Cyber Security Assessment (SCSA) [Appendix ‐ 4] to map the robustness of
systems on board and to determine measures to handle the current level of cyber
threats.

A Ship Cyber Security Assessment (SCSA) for the vessel shall include:

- Identification of IT and OT systems that are vulnerable, the specific vulnerabilities
identified, including human factors, and the policies and procedures governing the use
of these systems (the identification should include searches for known vulnerabilities
relevant to the equipment, the current level of patching and firmware updates).
- Identification of existing technical and procedural controls to protect the onboard
IT and OT systems.
- Identification and evaluation of key shipboard operations that are vulnerable to
cyber-attack and possible cyber incidents.
- Identification of contingency plans and recovery measures for a Cyber incident.

The procedures for, and the service providers of, onboard equipment and systems shall be
consulted to understand the technical and procedural controls that address cyber security.
Further, any identified cyber vulnerability in the factory standard configuration of a
critical system or component should be disclosed to facilitate better protection of the
equipment in the future.

The Ship Cyber Security Plan and the Ship Cyber Security Assessment (SCSA) shall be
reviewed annually by the Master/SCSO to identify any gaps and enhance cyber
security protection measures.

Recordkeeping:

Appendix 5 – Ship Cyber Security Assessment (SCSA)



3.5 Risk assessment by Third-party

Where felt necessary, the Company may complement its own risk assessment with third-
party risk assessments to drill deeper and identify the risks and the gaps.

Penetration tests of critical IT and OT infrastructure may be performed to identify
whether the actual defense level matches the desired level. Such tests can be
performed by external experts simulating attacks using IT systems, social
engineering and, if desired, even physical penetration of a facility's security perimeter.
These tests are referred to as active tests because they involve accessing and inserting
software into a system. This may only be appropriate for IT systems. Where the risk to OT
systems during penetration testing is unacceptable, passive testing approaches should
be considered. Passive methods rely on scanning data transmitted by a system to
identify vulnerabilities. In general, no attempt is made to actively access or insert
software into the system.

Software enhancements shall be considered, where felt necessary, based on the above
results.

3.6 Risk assessment by Vessel

Where it is felt that a threat may exist to the Cyber Security of the vessel while doing an
activity which is not already covered by the Ship Cyber Security Assessment (SCSA), the
Master/SCSO shall initiate a case-by-case risk assessment and seek approval from the
Company. Such scenarios may include:

- Risk from Third Party Access to ship systems.
- Risk from allowing use of Personal and Portable devices (BYOD).
- Risk from Bring your own device (BYOD), using portable devices.
- Management of Change (MOC).
- Risk after a Cyber Security Incident.
- Other scenarios/activities which may pose a threat to the ship's Cyber Security.

Such risk assessments shall be completed using the risk assessment templates provided
on the Company database and sent to DPA for review.

3.6.1 Risk from Third‐party access to ship systems

Visits to ships by third parties requiring a connection to one or more computers on
board can also result in connecting the ship to shore. It is common for technicians,
vendors, port officials, marine terminal representatives, agents, pilots and other
visitors to board the ship and plug in devices, such as laptops and tablets. Some
technicians may require the use of removable media to update computers, download
data and/or perform other tasks. It has also been known for customs officials and port
state control officers to board a ship and request the use of a computer to "print official
documents" after first inserting unknown removable media.

3.6.2 Risk from allowing Remote Access to ship systems

Some IT and OT systems are remotely accessible and may operate with a continuous
internet connection for remote monitoring, data collection, maintenance functions,
safety and security. These systems can be "third-party systems", whereby the contractor
monitors and maintains the systems remotely. These systems could include
both two-way data flow and upload only. Systems and workstations with remote
control, access or configuration functions could, for example, be:
- Bridge and engine room computers and workstations on the ship's administrative
network.
- Cargo such as containers with reefer temperature control systems or specialized
cargo that are tracked remotely (food containers).
- Stability decision support systems.
- Hull stress monitoring systems.
- Navigational systems including Electronic Navigation Chart (ENC), Voyage Data
Recorder (VDR) and dynamic positioning (DP).
- Offshore cargo handling, engine, and cargo management systems.
- Safety and security networks, such as CCTV (closed circuit television).

The extent and nature of connectivity of equipment should be known and documented
as part of the risk assessment by the vessel.

3.6.3 Risk from allowing use of personal and portable devices (BYOD)

It is recognized that personnel may be allowed to bring their own devices (BYOD) on
board to access the ship's systems or network. Although this may be both beneficial and
economical for ships, because these devices may be unmanaged it significantly
increases the possibility of vulnerabilities being exposed. The use of such devices shall
be authorized and controlled by the Master / Ship Cyber Security Officer. Due
consideration shall be given to segregating such devices from the ship's network so that
they cannot expose the ship's IT and OT systems to cyber security threats.

3.7 Cyber Security Management of Change (MOC)

The Management of Change (MOC) Process requires a formal Risk Assessment to be carried
out and the necessary controls put in place to bring the risk to an acceptable level. For this
purpose, the vessel shall carry out a risk assessment as per FW SPF-06-04 Risk Assessment
Matrix & Severity Level.

The early identification, communication and management of change are the
responsibility of all vessel staff associated with the change. The Master / SCSO, upon
identifying a need or proposal for change, shall follow the procedure laid down in
Document No. SP-10 of the shipboard Procedure and Instructions Manual.

A management of change (MOC) request shall be completed whenever a change or
activity will affect the Cyber Security of the vessel. Such scenarios would include:

- Change of Management.
- Installation of new IT or OT systems or removal of any IT or OT systems.
- Software maintenance or restoration and patch management.
- Use of devices brought by a 3rd party to make changes/upgrades to IT or OT systems.
- Anti-virus and malware protection installation or update.

In general, the following points shall be taken into consideration for any Management of
Change (MOC) request:
- Scope: Organizational, Operational, Engineering and/or Software changes.
- Level of change: Emergency, Temporary, Permanent changes.
- Levels of Authority for approval of MOC: Master, Superintendent, Group Head,
Director, MOC Committee.

Type of Change                              Minimum Level     Level 1 (1 month or   Level 2 (Upon 6 Months)      Level 3 (Permanent)
                                            of Proposal       present Voyage)

A) Shipboard Changes (Vessel Specific)
Adding new equipment, hardware, or software Master / Super    TM or Equivalent      TM or Equivalent or Higher   Tech Director
Changes to existing equipment, hardware     Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent
or software
Structural Changes                          Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent
Change in Manning Level                     Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent

B) Shipboard Changes (Fleet)
Adding new equipment, hardware, or software Master / Super    TM or Equivalent      TM or Equivalent or Higher   Tech Director
Changes to existing equipment, hardware     Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent
or software
Structural Changes                          Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent
Change in Manning Level                     Master / Super    TM or Equivalent      TM or Equivalent or Higher   TM or Equivalent

TM – Technical Manager

Figure 2 – Matrix for Level for proposal and approval

The proposal and approval process of MOC shall follow Company separation of duty
principles to avoid conflict of interest. Safety management implementation shall be
reviewed periodically (annually) with respect to proposed cyber security changes and
updates.
